[Oisf-users] Can Suri detect protocols on non-standard ports?

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 19 17:29:28 UTC 2014



This is extremely interesting to me.

At what point is the session identified/dropped? I assume the three-way
handshake gets through and the protocol is identified by the first
ACK-PUSH by the client? Will suri queue the packets until the protocol
is identified and then immediately drop the flow (so there is no
information leakage other than the SYN packets)?

-Coop

On 8/19/2014 10:21 AM, Victor Julien wrote:
> 
> # IPS, enforce
> drop tcp any any -> any 80 (msg:"SURICATA DROP Port 80 but not HTTP"; flow:to_server; app-layer-protocol:!http; sid:993001;)
> drop tcp any any -> any 443 (msg:"SURICATA DROP Port 443 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993002;)
> drop tcp any any -> any 993 (msg:"SURICATA DROP Port 993 but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; sid:993003;)
> 
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
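The policy in Victor's three drop rules, as an added illustrative model written for this thread (it is not Suricata's own detection code and does not answer the timing question above): the first client-to-server payload is classified by content rather than by port, and the flow is dropped only when the detected protocol contradicts what that port should carry. The handshake itself carries no payload, so the model cannot decide before the first data segment. All sample payloads are constructed.

```python
# Illustrative model, not Suricata source: content-based protocol detection
# on the first client payload, then the port-vs-protocol policy from the
# "app-layer-protocol:!http" / "!tls" drop rules.
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Port -> protocol the rules expect there (mirrors sid 993001..993003).
EXPECTED = {80: "http", 443: "tls", 993: "tls"}


def detect_protocol(payload: bytes) -> Optional[str]:
    """Classify the first client->server payload as 'http', 'tls' or 'unknown'.

    Returns None when there is no payload yet (SYN / SYN-ACK / ACK carry
    none), because no content-based decision is possible at that point.
    """
    if not payload:
        return None
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 22 (handshake), major version 3,
    # two-byte length, then handshake type 1 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    return "unknown"


def verdict(dst_port: int, payload: bytes) -> str:
    """'drop' if the detected protocol is not the one the port should carry
    (the negated app-layer-protocol match), otherwise 'pass'.

    Ports without an expectation (e.g. 8080) are never dropped, even though
    the protocol is still identified: detection is port-independent, the
    enforcement is not.
    """
    proto = detect_protocol(payload)
    if proto is None:
        return "pass"          # nothing to decide on yet
    want = EXPECTED.get(dst_port)
    if want is not None and proto != want:
        return "drop"
    return "pass"


if __name__ == "__main__":
    # Constructed samples: HTTP request, TLS ClientHello start, SSH banner.
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tls = bytes([0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b])
    ssh = b"SSH-2.0-OpenSSH_6.6\r\n"
    for port, data in [(80, http), (80, ssh), (443, tls), (443, http), (8080, http)]:
        print(port, detect_protocol(data), verdict(port, data))
```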
